November 26, 2011 03:15 Trojan Horse Agent_r.ATS? #182426
bobby62226
Novice
Join Date: 26.11.2011
Posts: 1
Hello, I need some assistance. Recently I've been noticing a lot of blocked Trojan programs while browsing the internet or simply playing a game. I decided to boot the computer in safe mode, go to my user/temp data folder and proceed to delete any odd executable files. I am very careful in what I delete, only deleting files named sduhgsduighsduig.exe and so forth. Next I scanned my computer and even more Trojan files were removed, but one is left. I keep scanning but it won't go away.

C:\Windows\System32\drivers\netbt.sys Trojan horse Agent_r.ATS

I am using Vista and my AVG version is 10.0.0.1295.
November 26, 2011 03:58 Re: Trojan Horse Agent_r.ATS? #182430
Lobster1187
Novice
Join Date: 26.11.2011
Posts: 1
mrxsmb.sys is Trojan Horse Agent_r.ats?

Hello,

First let me say thanks for taking the time to read this and for trying to help me out.
The other day I was getting an "exploit backdoor exploit" warning. I bugged out and did a scan. Twenty-some trojans appeared and I managed to get rid of all but (I think) one or two with AVG and Malwarebytes Anti-Malware.

I am now getting the warnings: Trojan Horse Agent_r.ats detected on open C:\windows\system32\drivers\mrxsmb.sys and one in a system restore point.

I have disabled system restore points and run GMER (log attached). I tried running an anti-rootkit program but it bluescreens me or just locks up.

Mrxsmb.sys is whitelisted. When I click that file in Windows Explorer, I get the warning popping up. It occasionally pops up by itself, and I am getting odd hard drive activity, even when no programs are running, that I can't track down. I'm running XP 32-bit SP3, AVG Free 2012. If you need any more info let me know.

Thanks again for any help you can give me!
November 26, 2011 07:50 Re: Trojan Horse Agent_r.ATS? #182437
hello_liz
Novice
Join Date: 26.11.2011
Posts: 1
I did a full system scan on my computer with AVG and got the result that the serial.sys file is infected with Trojan horse Agent_r.ATS. I can't delete this because the computer needs it, so how can I get rid of it? I don't have a recovery disc or another computer in the house, so I can't replace it with an uninfected file.

Also, I have scanned the serial.sys file with SUPERAntiSpyware Free Edition and ClamWin. Both of them said the file was fine. How come these two programs did not detect the Trojan horse Agent_r.ATS and AVG did?
November 26, 2011 12:27 Re: Trojan Horse Agent_r.ATS? #182455
markony7
Novice
Join Date: 26.11.2011
Posts: 3
Trojan..

Hi, I have a similar problem. AVG shows Trojans in the recycle bin, but it's empty! How do I solve this problem? Thank you.
November 26, 2011 19:21 Re: Trojan Horse Agent_r.ATS? #182506
LegalITGuy
Novice
Join Date: 26.11.2011
Posts: 3
markony7 wrote
Trojan..

Hi, I have a similar problem. AVG shows Trojans in the recycle bin, but it's empty! How do I solve this problem? Thank you.

Agent_r.ATS is a new variant of Agent_r.AKS.
It infects redbook.sys.
It infects searchindexer.exe.
It plants bogus exes in the Windows\System32 folder:
ping.exe
ping6.exe
pathping.exe

It seems to make several registry entries. When you execute a ping, or a ping6 (IPv6), the trojan is triggered. Since ping may be triggered by many web pages - particularly ones that use media - this will have a huge impact on watching streaming video, and it is too new for AVG to fix - it can only remove the infected files after infection. There is an as yet unidentified dropper that must be kept from executing and creating the above files. Deleting the files identified will do no good, as the dropper will recreate them instantly. I have disabled the trojan by creating bogus files of 1K length that are set to read-only and put them in the locations where the dropper intends to put its payload. So far this has kept the dropper from succeeding, but I have yet to find the dropper.
AVG needs to include this new variant quickly.
LegalITGuy - you think YOU have problems with security, try doing it for an office full of the nation's top attorneys!
November 26, 2011 19:31 Re: Trojan Horse Agent_r.ATS? #182508
LegalITGuy
Novice
Join Date: 26.11.2011
Posts: 3
bobby62226 wrote
Hello, I need some assistance. Recently I've been noticing a lot of blocked Trojan programs while browsing the internet or simply playing a game. I decided to boot the computer in safe mode, go to my user/temp data folder and proceed to delete any odd executable files. I am very careful in what I delete, only deleting files named sduhgsduighsduig.exe and so forth. Next I scanned my computer and even more Trojan files were removed, but one is left. I keep scanning but it won't go away.

C:\Windows\System32\drivers\netbt.sys Trojan horse Agent_r.ATS

I am using Vista and my AVG version is 10.0.0.1295.

Agent_r.ATS is a new variant of Agent_r.AKS.
On my machines it infects redbook.sys. I do not have etbt.sys. It seems likely that the dropper is looking in that directory for a .sys already in use and replaces it.
On my machine it infects searchindexer.exe.
It plants bogus exes in the Windows\System32 folder:
ping.exe
ping6.exe
pathping.exe

It seems to make several registry entries. When you execute a ping, or a ping6 (IPv6), the trojan is triggered. Since ping may be triggered by many web pages - particularly ones that use media - this will have a huge impact on watching streaming video, and it is too new for AVG to fix - it can only remove the infected files after infection. There is an as yet unidentified dropper that must be kept from executing and creating the above files. Deleting the files identified will do no good, as the dropper will recreate them instantly. I have disabled the trojan by creating bogus files of 1K length that are set to read-only and put them in the locations where the dropper intends to put its payload. So far this has kept the dropper from succeeding, but I have yet to find the dropper.

AVG needs to include this new variant quickly - it appears to have first surfaced on 11/24/2011 and there has been no update from AVG that includes the ability to stop the dropper. It is only detecting the infected files after they are dropped.
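A defender-side check that follows from the description above of files being replaced and instantly re-created, added here as an example and not code from the thread, from LegalITGuy or from AVG: a PowerShell script that records the size and SHA-256 of the System32 files named in this thread and, on later runs, flags any that changed or that are suspiciously tiny. The baseline CSV path is an assumption, and the thread's "etbt.sys" is assumed to be netbt.sys with its leading `\n` eaten by the forum; the baseline is only useful if taken from a state you trust (or exported from a clean machine of the same Windows build).

```powershell
# Added example, not from the thread: snapshot the size and SHA-256 of the
# System32 files this thread names as replaced by Agent_r.ATS, then re-run
# later to see which of them changed. The baseline must come from a state
# you trust (or a CSV exported from a clean machine of the same Windows build).
param([string]$Baseline = "$env:USERPROFILE\agent_r_baseline.csv")   # assumed path

$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = @(
    'ping.exe', 'ping6.exe', 'pathping.exe', 'SearchIndexer.exe',
    'drivers\redbook.sys', 'drivers\mrxsmb.sys', 'drivers\serial.sys',
    'drivers\netbt.sys'   # assumption: the thread's "etbt.sys" is netbt.sys
)

function Get-Snapshot {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($rel in $targets) {
        $path = Join-Path $sys32 $rel
        $size = 0; $hash = 'MISSING'        # absence alone is not suspicious
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            try {
                $bytes = [System.IO.File]::ReadAllBytes($path)
                $hash  = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
            } catch {
                $hash = 'UNREADABLE'         # e.g. the AV has locked the file
            }
        }
        New-Object PSObject -Property @{ File = $rel; Size = $size; SHA256 = $hash }
    }
}

$now = Get-Snapshot
if (-not (Test-Path -LiteralPath $Baseline)) {
    $now | Export-Csv -NoTypeInformation -Path $Baseline
    Write-Host "Baseline written to $Baseline; re-run after the next scan to compare."
    return
}

$old = Import-Csv -Path $Baseline
foreach ($cur in $now) {
    $prev = $old | Where-Object { $_.File -eq $cur.File }
    if ($prev -and $prev.SHA256 -ne $cur.SHA256) {
        Write-Warning ("CHANGED: {0}  {1} -> {2} bytes" -f $cur.File, $prev.Size, $cur.Size)
    }
    # Anything around 1 KB here is either the read-only placeholder described
    # above or a file that is not a real Windows binary: worth a look either way.
    if ($cur.Size -gt 0 -and $cur.Size -le 1024) {
        Write-Warning ("TINY: {0} is only {1} bytes" -f $cur.File, $cur.Size)
    }
}
```

Run it from an elevated prompt once to write the baseline and again after each scan; a CHANGED line on a file you did not update yourself is the dropper (or the AV's cleanup) at work.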

November 26, 2011 19:34 Re: Trojan Horse Agent_r.ATS? #182510
LegalITGuy
Novice
Join Date: 26.11.2011
Posts: 3
Lobster1187 wrote
Hello,

First let me say thanks for taking the time to read this and for trying to help me out.
The other day I was getting an "exploit backdoor exploit" warning. I bugged out and did a scan. Twenty-some trojans appeared and I managed to get rid of all but (I think) one or two with AVG and Malwarebytes Anti-Malware.

I am now getting the warnings: Trojan Horse Agent_r.ats detected on open C:\windows\system32\drivers\mrxsmb.sys and one in a system restore point.

I have disabled system restore points and run GMER (log attached). I tried running an anti-rootkit program but it bluescreens me or just locks up.

Mrxsmb.sys is whitelisted. When I click that file in Windows Explorer, I get the warning popping up. It occasionally pops up by itself, and I am getting odd hard drive activity, even when no programs are running, that I can't track down. I'm running XP 32-bit SP3, AVG Free 2012. If you need any more info let me know.

Thanks again for any help you can give me!

This is already in another thread in this forum. I normally do a search first, then leave a new thread if nothing pertains. Instead of repeating what I found about this, I will wait for AVG's official reply on this new variant of Agent_r.AKS (I actually have never seen a malware remover for that trojan either, but am hoping that AVG addresses this new variant FAST).
November 29, 2011 12:09 Re: Trojan Horse Agent_r.ATS? #182800
Pokornyz
Administrator
Join Date: 29.11.2010
Posts: 8235
Hello all,

Please try the updated AVG Rescue CD to see if it solves your situation.

If it doesn't solve your situation, please provide us with the GMER scan results and Msinfo output so we can analyze it better.

Thank you
November 30, 2011 20:38 Re: Trojan Horse Agent_r.ATS? #183015
Hadji427
Novice
Join Date: 30.11.2011
Posts: 1
I have the same situation with the r.ATS, where it is whitelisted and can't be removed. AVG has blocked the file and won't allow me access to it, so that's cool. I have been able to reboot and go about my normal work, so I didn't run the Rescue CD. (I'm not skilled at this at all and don't want to damage my comp further.) So I included the GMER results and hopefully that will help find a solution.

Thanks,

Hadji427
December 1, 2011 03:36 Re: Trojan Horse Agent_r.ATS? #183049
Stratadrake
Novice
Join Date: 18.11.2009
Posts: 6
Agent_R.ARN, ATS, etc...

My system has also picked up a few ARN and ATS variants of this trojan in the past week. I wonder what other aliases it goes by, because other vendor tools like Combofix and TDSSKiller have labelled the file(s) in question as infected by "Rootkit.ZeroAccess" -- and after cleaning it out, AVG no longer reports any threats.